b'                     AUDIT REPORT\n\n                Audit of NRC\xe2\x80\x99s Process for Placing Documents\n                in the ADAMS Public and Non-Public Libraries\n\n\n                      OIG-07-A-16     September 6, 2007\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                          September 6, 2007\n\n\n\n\nMEMORANDUM TO:              Luis A. Reyes\n                            Executive Director for Operations\n\n\n\nFROM:                       Stephen D. Dingbaum /RA/\n                            Assistant Inspector General for Audits\n\n\nSUBJECT:                    AUDIT OF NRC\xe2\x80\x99S PROCESS FOR PLACING DOCUMENTS\n                            IN THE ADAMS PUBLIC AND NON-PUBLIC LIBRARIES\n                            (OIG-07-A-16)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) audit report titled, Audit of NRC\xe2\x80\x99s\nProcess for Placing Documents in the ADAMS Public and Non-Public Libraries.\n\nThis report presents the results of the subject audit. Agency comments provided at the\nexit conference on June 1, 2007, have been incorporated, as appropriate, into this\nreport. The agency provided formal comments, which appear in Appendix C of the\nreport.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. Actions taken or\nplanned are subject to OIG follow up as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\naudit. If you have any questions or comments about our report, please contact me at\n415-5915, or Beth Serepca, Team Leader, Security and Information Management\nTeam, at 415-5911.\n\nAttachment: As stated\n\ncc:    V. Ordaz, OEDO\n       M. Malloy, OEDO\n       P. Tressler, OEDO\n\x0cElectronic Distribution\n\nFrank P. Gillespie, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nE. Roy Hawkens, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nWilliam M. McCabe, Chief Financial Officer\nMargaret M. Doane, Acting, Director, Office of International Programs\nRebecca L. Schmidt, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nWilliam F. Kane, Deputy Executive Director for Reactor\n and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Waste, Research,\n State, Tribal, and Compliance Programs, OEDO\nDarren B. Ash, Deputy Executive Director for Information Services\n and Chief Information Officer, OEDO\nVonna L. Ordaz, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nCynthia A. Carpenter, Director, Office of Enforcement\nCharles L. Miller, Director, Office of Federal and State Materials\n and Environmental Management Programs\nGuy P. Caputo, Director, Office of Investigations\nEdward T. Baker, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nR. William Borchardt, Director, Office of New Reactors\nMichael F. Weber, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nBrian W. Sheron, Director, Office of Nuclear Regulatory Research\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\n\x0c            Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\nEXECUTIVE SUMMARY\n\n        BACKGROUND\n\n                The U.S. Nuclear Regulatory Commission (NRC) relies on an\n                electronic recordkeeping system called the Agencywide Documents\n                Access and Management System (ADAMS) to maintain its public\n                and non-public official agency records. NRC staff decide whether\n                official agency records should be publicly or non-publicly available\n                based on agency criteria regarding document content. NRC\n                historically has strived for openness with the public. Since the\n                events of September 11, 2001, however, the agency has become\n                more restrictive in what it makes available to the public.\n\n                ADAMS has four libraries. Two libraries, the ADAMS Main Library\n                and the Legacy Library, are accessible to NRC staff but not to the\n                public. These libraries contain both public and non-public records.\n                The other two libraries, the Publicly Available Records System and\n                the Public Legacy Library, contain public records only.\n\n        PURPOSE\n\n                The audit objective was to determine the effectiveness and\n                consistency by which documents are profiled1 and processed for\n                entry into the public or non-public ADAMS libraries.\n\n        RESULTS IN BRIEF\n\n                NRC profiles most documents appropriately for inclusion in public\n                versus non-public ADAMS libraries; however:\n\n                \xc2\x99 The rationale for public versus non-public placements is not\n                  always clearly articulated in the agency\xe2\x80\x99s guidance, and\n                  documents are sometimes miscategorized.\n\n                \xc2\x99 NRC needs to improve its quality control approach to ensure\n                  proper profiling of ADAMS records as public or non-public.\n\n\n\n\n1\n Profile information is descriptive information about the record, such as document title,\nsensitivity, availability (public or non-public), document date, ADAMS accession number, and\nnumber of pages.\n\n                                                 i\n\x0c            Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n                Rationale for Public Versus Non-Public Placements Is Not\n                Always Clearly Articulated in Guidance\n\n                NRC profiles most ADAMS records appropriately as public or non-\n                public. However, the Office of the Inspector General (OIG) found\n                that agency guidance did not explain the basis for placing\n                documents in the public or non-public libraries. The rationale for\n                placing about 14 percent of the non-public documents and about 17\n                percent of the public documents was not clearly articulated in the\n                guidance, and OIG also identified several specific instances of\n                miscategorized documents. This lack of clear rationale in the public\n                versus non-public profiling process occurs because agency\n                guidance on the subject is not consolidated and, in some cases, is\n                outdated. Furthermore, NRC does not offer training on making\n                public versus non-public determinations. As a result, NRC risks\n                releasing sensitive information to the public, which can impact\n                public safety. The agency also risks unnecessarily withholding\n                non-sensitive information, which can undermine public confidence\n                in NRC as a fair and unbiased regulator.\n\n                Improved Quality Control Approach Is Needed To Ensure\n                Proper Profiling of ADAMS Records\n\n                NRC needs to improve its quality control approach to ensure proper\n                profiling of ADAMS records as public or non-public. Specifically, (1)\n                the agency does not conduct regular reviews of all documents\n                placed in ADAMS to ensure proper placement in either the public or\n                non-public ADAMS libraries; (2) document originators do not\n                always complete NRC Form 665, an agency requirement; and (3)\n                some offices \xe2\x80\x93 which have instructed the Office of Information\n                Services (OIS) to intercept their incoming mail, determine\n                availability, and add it to ADAMS \xe2\x80\x93 do not routinely review whether\n                OIS has made the appropriate availability determination or follow\n                up on items designated non-public pending review.2\n\n                These conditions exist because the agency does not require\n                documentation explaining why ADAMS documents were\n                designated as public versus non-public and has not clearly\n                communicated quality control expectations to staff. As a result,\n                NRC cannot assess if it is meeting its criteria for ADAMS document\n                profiling and risks both inappropriate release of information to the\n                public and unnecessary withholding of information that should be\n                publicly available.\n\n2\n  Non-public pending review is the category NRC uses to designate items as non-public until the\nresponsible office reviews it and makes a final determination concerning public or non-public\navailability.\n\n                                                 ii\n\x0c   Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\nRECOMMENDATIONS\n\n      This report makes eight recommendations to support the public\n      versus non-public profiling process for ADAMS records. A\n      consolidated list of recommendations appears in Section V of this\n      report.\n\nAGENCY COMMENTS\n\n      At an exit conference held on June 1, 2007, agency managers\n      provided comments concerning the draft report. We modified the\n      report in response to the comments, as we deemed appropriate.\n      NRC reviewed these modifications and opted to submit formal\n      comments, which appear in Appendix C of this report.\n\n\n\n\n                                       iii\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n\n                   [Page intentionally left blank.]\n\n\n\n\n                                    iv\n\x0c      Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n         ADAMS            Agencywide Documents Access and Management\n                          System\n\n         E-RIDS           Electronic Regulatory Information Distribution System\n\n         MD               Management Directive and Handbook\n\n         NRC              U.S. Nuclear Regulatory Commission\n\n         OIG              Office of the Inspector General (NRC)\n\n         OIS              Office of Information Services\n\n         PII              Personally Identifiable Information\n\n         SUNSI            Sensitive Unclassified Non-Safeguards Information\n\n\n\n\n                                          v\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n\n                   [Page intentionally left blank.]\n\n\n\n\n                                    vi\n\x0c           Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\nTABLE OF CONTENTS\n\n\n    EXECUTIVE SUMMARY.........................................................................i\n\n    ABREVIATIONS AND ACRONYMS ......................................................v\n\n    I.      BACKGROUND .............................................................................1\n\n    II.     PURPOSE......................................................................................2\n\n    III.    FINDINGS ......................................................................................3\n\n            A.     RATIONALE FOR PUBLIC VERSUS NON-PUBLIC PLACEMENTS IS\n                   NOT ALWAYS CLEARLY ARTICULATED IN GUIDANCE ....................3\n\n            B.     IMPROVED QUALITY CONTROL APPROACH IS NEEDED TO\n                   ENSURE PROPER PROFILING OF ADAMS RECORDS .................10\n\n    IV.     AGENCY COMMENTS ................................................................16\n\n    V.      CONSOLIDATED LIST OF RECOMMENDATIONS ....................17\n\nAPPENDIXES\n\n    A.      SCOPE AND METHODOLOGY...................................................19\n\n    B.      FORMS 665S AND 665P .............................................................21\n\n    C.      AGENCY COMMENTS ................................................................23\n\n\n\n\n                                                   vii\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n\n                   [Page intentionally left blank.]\n\n\n\n\n                                    viii\n\x0c             Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\nI.    BACKGROUND\n\n                NRC has relied, since April 2000, on an electronic recordkeeping\n                system called ADAMS to maintain its public and non-public official\n                agency records.3 As of March 2007, ADAMS held about 821,000\n                records. During the 6-month period from mid-September 2006\n                through mid-March 2007, an average of 5,883 new records were\n                added to ADAMS each month, and about 50 percent of these were\n                made public. 4\n\n                ADAMS holds records generated both externally and internally.\n                The term externally generated records refers to materials that are\n                developed outside of the agency and sent to NRC. These items\n                include correspondence from licensees, the public, other Federal\n                agencies, research laboratories, and foreign governments.\n                Internally generated records are materials developed within NRC\n                such as correspondence to licensees or to the public, policy\n                papers, bulletins, and inspection reports.\n\n                Public and Non-Public Records\n\n                NRC staff decide whether official agency records should be publicly\n                or non-publicly available based on agency criteria regarding\n                document content. NRC historically has strived for openness with\n                the public. Since the events of September 11, 2001, however, the\n                agency has become more restrictive in what it makes available to\n                the public. Prior to September 11, the agency\xe2\x80\x99s policy was to\n                automatically make information publicly available that was\n                anticipated to be of interest to the public without anyone having to\n                file a Freedom of Information Act request. Following September\n                11, the agency revised its standard for withholding information from\n                the public to include information that \xe2\x80\x9ccould reasonably be expected\n                to be useful to terrorists in planning or executing an attack.\xe2\x80\x9d Now,\n\n\n\n\n3\n  Official agency records are all books, papers, maps, photographs, and other documentary\nmaterials made or received by a Government agency in connection with the transaction of public\nbusiness and preserved by that agency as evidence of the organization, functions, policies,\ndecisions, procedures, operations, or other Government activities or because of the informational\nvalue of data they contain.\n4\n  ADAMS does not hold records containing classified, safeguards, or allegations information, and\ndoes not hold most Office of Investigations or Office of the Inspector General records or records\non personnel matters. (Safeguards information specifically identifies the detailed security\nmeasures of a licensee or an applicant for the physical protection of special nuclear material; or\nsecurity measures for the physical protection and location of certain plant equipment vital to the\nsafety of production or utilization facilities.)\n\n                                                 1\n\x0c         Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n            certain items that were once publicly available, such as information\n            on plant configurations or conditions that could be useful to an\n            adversary, are considered sensitive and are routinely designated as\n            non-public.\n\n            ADAMS has four libraries. Two libraries, the ADAMS Main Library\n            and the Legacy Library, are accessible to NRC staff but not to the\n            public. These libraries contain both public and non-public records.\n            The other two libraries, the Publicly Available Records System and\n            the Public Legacy Library, contain public records only. NRC staff\n            can access all ADAMS libraries via the agency\xe2\x80\x99s Intranet.\n            Members of the public can access the public libraries via NRC\xe2\x80\x99s\n            Website using a standard Web browser, but cannot access the\n            non-public libraries.\n\n            OIS estimates it will spend $705,000 in FY 2007 to maintain and\n            operate ADAMS, $730,000 to enhance the system, and $3 million\n            for OIS activities related to processing documents into ADAMS\n            records. There are currently 18 staff assigned to support system\n            operations, enhancements, and program management and 2 staff\n            working on the activities necessary to prepare a business case for\n            replacing the current ADAMS system with new technology.\n\nII.   PURPOSE\n\n            The audit objective was to determine the effectiveness and\n            consistency by which documents are profiled and processed for\n            entry into the public or non-public ADAMS libraries. The audit was\n            initiated in response to a letter sent to NRC\xe2\x80\x99s Inspector General by\n            a public interest group. The letter reported several specific\n            instances of NRC miscoding documents as non-publicly available\n            when the items should have been publicly available. Appendix A\n            contains information on the audit scope and methodology.\n\n\n\n\n                                             2\n\x0c        Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\nIII. FINDINGS\n\n           NRC profiles most documents appropriately for inclusion in public\n           versus non-public ADAMS libraries; however:\n\n           \xc2\x99 The rationale for public versus non-public placements is not\n             always clearly articulated in the agency\xe2\x80\x99s guidance, and\n             documents are sometimes miscategorized.\n           \xc2\x99 NRC needs to improve its quality control approach to ensure\n             proper profiling of ADAMS records as public or non-public.\n\n           By consolidating agency guidance and improving agencywide\n           quality control expectations, NRC will better assure that its records\n           are designated public and non-public in accordance with agency\n           guidance while protecting sensitive information from improper\n           disclosure.\n\n   A.   Rationale for Public Versus Non-Public Placements Is Not Always\n        Clearly Articulated in Guidance\n\n           NRC profiles most ADAMS records appropriately as public or non-\n           public. However, the Office of the Inspector General (OIG) found\n           that agency guidance did not explain the basis for placing\n           documents in the public or non-public libraries. The rationale for\n           placing about 14 percent of the non-public documents and about 17\n           percent of the public documents was not clearly articulated in the\n           guidance, and OIG also identified several specific instances of\n           miscategorized documents. This lack of clear rationale in the public\n           versus non-public profiling process occurs because agency\n           guidance on the subject is not consolidated and, in some cases, is\n           outdated. Furthermore, NRC does not offer training on making\n           public versus non-public determinations. As a result, NRC risks\n           releasing sensitive information to the public, which can impact\n           public safety. The agency also risks unnecessarily withholding\n           non-sensitive information, which can undermine public confidence\n           in NRC as a fair and unbiased regulator.\n\n           Agency Guidance\n\n           NRC guidance to staff on what agency information should be\n           publicly and non-publicly available is contained in Management\n           Directive and Handbook (MD) 3.4, Release of Information to the\n           Public; Yellow Announcement 2005-077, Policy Revision: NRC\n           Policy and Procedures for Handling, Marking, and Protecting\n           Sensitive Unclassified Non-Safeguards Information (SUNSI);\n           Yellow Announcement 2006-069, Protection of Personally\n\n                                            3\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n   Identifiable Information; SECY-04-0191, Withholding Sensitive\n   Unclassified Information Concerning Nuclear Power Reactors from\n   Public Disclosure; and Attachment 2 to RIS 2005-31, Control of\n   Security-Related Sensitive Unclassified Non-Safeguards\n   Information Handled by Individuals, Firms, and Entities Subject to\n   NRC Regulation of the Use of Source, Byproduct, and Special\n   Nuclear Material.\n\n   Last revised in December 1999, MD 3.4 states that it is NRC\xe2\x80\x99s\n   policy to make available to the public as much as possible of its\n   health and safety mission-related information. MD 3.4 includes a\n   53-page listing of office-specific products that should be routinely\n   released to the public and several pages of materials that are not\n   routinely released to the public. Products routinely released,\n   according to MD 3.4, include inspection reports, correspondence\n   related to license amendments, NRC bulletins and licensee\n   responses, and Commission meeting transcripts. Products not\n   routinely released, according to MD 3.4, include records sent to or\n   received from foreign governments, correspondence with other\n   Federal agencies, predecisional information, and routine\n   administrative records.\n\n   The agency\xe2\x80\x99s SUNSI policy, issued in October 2005, focuses on\n   seven categories of information that should not be released\n   publicly. These categories are allegation information; investigation\n   information; security-related information; proprietary information;\n   Privacy Act information; Federal, State, Foreign Government, and\n   International Agency Controlled Information; and sensitive internal\n   information. SUNSI is defined as, \xe2\x80\x9cany information of which the\n   loss, misuse, modification, or unauthorized access can reasonably\n   be foreseen to harm the public interest, the commercial or financial\n   interests of the entity or individual to whom the information pertains,\n   the conduct of NRC and Federal programs, or the personal privacy\n   of individuals.\xe2\x80\x9d\n\n   NRC also directs employees to protect personally identifiable\n   information from public release, in accordance with Office of\n   Management and Budget guidance. According to Yellow\n   Announcement 2006-069, personally identifiable information is\n   information that can be used to identify or contact a person\n   uniquely or can be traced back to a specific individual (i.e., a\n   person\xe2\x80\x99s name in combination with other information such as\n   relatives\xe2\x80\x99 names, postal address, home e-mail address, home or\n\n\n\n\n                                    4\n\x0c             Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n                cellular telephone number, social security number, date or place of\n                birth, mother\xe2\x80\x99s maiden name, driver\xe2\x80\x99s license number, credit card\n                information, or any information that would make the individual\xe2\x80\x99s\n                identity easily traceable).\n\n                Inconsistencies and Miscategorizations Occur\n\n                NRC profiles most ADAMS records appropriately as public or non-\n                public; however, some inconsistencies and miscategorizations\n                occur.\n\n                Random Sample\n\n                Auditors randomly sampled 10 percent of the 6,5595 public and\n                non-public official agency records added to ADAMS in\n                December 2006 to assess whether their public or non-public\n                designation was in accordance with agency guidance.6 This review\n                found that the rationale for designating about 14 percent of the non-\n                public documents and about 17 percent of the public documents as\n                such was not clearly articulated in MD 3.4, SUNSI, or Personally\n                Identifiable Information (PII) guidance. Auditors did not consider\n                these items to be misplaced in either the public or non-public\n                libraries, but instead focused on the absence of clear, criteria-\n                based justification for making the documents publicly versus non-\n                publicly available. The non-public placements were questioned by\n                auditors because (1) similar items were available in public ADAMS,\n                (2) the items were addressed to a public interest group, or (3) the\n                item corresponded to an MD 3.4 category, suggesting it ought to be\n                public. The public placements were questioned in most cases\n                because (1) MD 3.4 did not mention the product type reviewed or\n                (2) the submitting office was not listed in MD 3.4.\n\n                Examples of questionable non-public placements included an NRC\n                letter to a Michigan public interest group which included the\n                handwritten notation, \xe2\x80\x9cpublic,\xe2\x80\x9d at the bottom or the page, non-\n                sensitive inspection reports, and a county\xe2\x80\x99s emergency response\n                plan, which the county considers public information. Examples of\n                questionable public placements included materials corresponding\n                to parts of the Code of Federal Regulations that are not listed in MD\n                3.4, such as correspondence related to license renewal or early site\n                applications, information concerning a licensee\xe2\x80\x99s credit report, and\n\n5\n  The 6,559 figure includes both new records added to ADAMS and old \xe2\x80\x9cretrofit\xe2\x80\x9d records that\npredate ADAMS and which NRC has recently approved for scanning and inclusion in ADAMS.\n6\n  To conduct the review, auditors located the sampled documents in ADAMS, examined the\ncontent, and attempted to find criteria within MD 3.4, SUNSI, and PII guidance that would justify\nits placement in public or non-public ADAMS.\n\n                                                 5\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n   instrument calibration records for thermometers and gauges.\n   Auditors did not perceive any risk associated with these public\n   placements, but noted that the agency\xe2\x80\x99s criteria for making public\n   placements did not explain why these placements would be proper.\n\n   Non-Random Examples\n\n   Auditors also learned of specific documents incorrectly profiled for\n   public or non-public availability in ADAMS. In August 2006, a\n   public interest group contacted OIG to relay two specific examples\n   of documents miscoded as non-publicly available in ADAMS when\n   they should have been publicly available. The representative said\n   that this has happened before and that whenever it does, he\n   contacts NRC to ask for a correction. In his experience, the agency\n   always reviews and corrects the matter promptly; however, the\n   errors caused him to question how many other documents are\n   miscoded but not caught.\n\n   Auditors also identified examples of document types that were\n   treated inconsistently in terms of the public or non-public\n   designation. These included safety inspection reports, staff trip\n   reports, and delegations of authority. Auditors could not determine\n   any difference between these items that would justify this different\n   treatment in terms of availability.\n\n   Another example of inconsistent treatment pertains to emergency\n   preparedness exercise materials, which are sometimes placed into\n   non-public ADAMS and sometimes not placed into ADAMS at all,\n   depending on how the licensee submits them to NRC. In January\n   2007, a power plant licensee mailed information it deemed\n   sensitive concerning an upcoming emergency preparedness\n   exercise to NRC in accordance with agency requirements. The\n   licensee requested that the document be non-public and,\n   furthermore, that it not be provided to NRC exercise participants\n   until after the exercise, which was to occur in April. This precaution\n   was intended to enhance the integrity of the emergency\n   preparedness exercise. While the letter was placed in non-public\n   ADAMS in accordance with the licensee\xe2\x80\x99s request, it was also\n   made available to all NRC staff without restriction, including those\n   who would be exercise participants.\n\n   An NRC emergency preparedness inspector acknowledged that the\n   agency is inconsistent in handling emergency preparedness\n   exercise information submitted by licensees. He said that when a\n   licensee provides this information in hard copy to an emergency\n   preparedness inspector, it will not be placed in ADAMS at all, but\n\n                                    6\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n   that when the licensee mails it to headquarters, it is placed in\n   ADAMS. The inspector said that he and other inspectors have\n   sought instruction from headquarters on how to handle emergency\n   preparedness exercise materials, but it was never provided.\n\n   Guidance and Training Are Needed\n\n   Inconsistent and incorrect public and non-public designations are\n   made because NRC has not provided consolidated, up-to-date\n   guidance to staff on what items should be public or non-public and\n   NRC does not offer training on the public versus non-public\n   decisionmaking process.\n\n   Outdated Guidance\n\n   NRC guidance on making public versus non-public determinations\n   is not consolidated and MD 3.4 is outdated and sometimes\n   inaccurate.\n\n   It is essential that staff undertake a hierarchical approach to making\n   public versus non-public determinations in that first, an employee\n   must decide whether an item is sensitive per SUNSI or personally\n   identifiable information criteria. If an item is sensitive it will need to\n   be non-public; however, if it is not sensitive the employee must then\n   apply MD 3.4 criteria to assess whether it should be made public.\n\n   Despite the importance of a hierarchical approach, it is not\n   adequately addressed in agency guidance. First, MD 3.4 predates\n   the agency\xe2\x80\x99s SUNSI and PII policies and therefore does not\n   mention these sets of screening criteria. Second, neither the\n   agency\xe2\x80\x99s guidance on SUNSI nor its guidance on PII fully describes\n   the relationship among the three types of criteria. While PII\n   guidance includes a reference to SUNSI, it does not mention MD\n   3.4, whereas SUNSI guidance refers to MD 3.4 but not to PII.\n   Finally, NRC Form 665, ADAMS Document Submission, requires\n   proof that a SUNSI review occurred for NRC-generated documents\n   or packages being routed for concurrence and for paper documents\n   and packages that contain a mix of paper and electronic documents\n   submitted to ADAMS. However, the form does not require\n   evidence that a personally identifiable information review was\n\n\n\n\n                                    7\n\x0c            Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n               conducted. Appendix B contains copies of two versions of\n               Form 665 used by agency staff; 665P is used for packages7 of\n               documents added to ADAMS and 665S is used for single\n               documents.\n\n               MD 3.4 also contains information that is no longer accurate. For\n               example, this guidance states that power plant fire protection plans,\n               Final Safety Analysis Reports, and emergency plans are routinely\n               made public even though this is no longer the case. Organizational\n               changes that have occurred since the directive\xe2\x80\x99s issuance in 1999\n               mean that office names and record types are not all reflected, and\n               while MD 3.4 strives to be all-inclusive, it is not.\n\n               Because MD 3.4 is inaccurate, staff do not use it to make public\n               versus non-public decisions. Instead, based on OIG\xe2\x80\x99s staff\n               interviews, staff focus primarily on the need to protect sensitive\n               information. When it comes to deciding what to release to the\n               public, they rely on past practice, on-the-job experience, guidance\n               from co-workers, and the concurrence process to make the right\n               determination.\n\n               Agency comments provided subsequent to the exit conference\n               stated that while MD 3.4 does not refer to PII because the directive\n               predated this category of information as a Federal policy issue, MD\n               3.4 does refer to personal information as a screening criteria. In\n               addition, the agency comments stated that MD 3.4 is currently\n               being rewritten to include recent policy developments.\n\n               Training\n\n               NRC offers six ADAMS training courses, but none on the\n               decisionmaking process for determining public and non-public\n               availability. According to a headquarters training center staff\n               member, the courses focus on the mechanics of ADAMS and not\n               ADAMS related policies.\n\n               Impact on Safety and Public Confidence\n\n               As a result of document profiling inconsistencies and errors, NRC\n               risks releasing sensitive information to the public, which can impact\n               public safety. The agency also risks unnecessarily withholding\n               non-sensitive information, which can undermine public confidence\n               in NRC as a fair and unbiased regulator. During NRC\xe2\x80\x99s 2007\n\n7\n A package stores a group of pointers to related documents. These may include a main\ndocument which is a cover letter, and one or more attachments. Large documents may be\ndivided into smaller files that are packaged together to make them easier to work with.\n\n                                                8\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n   Regulatory Information Conference, public stakeholders reiterated\n   the importance of open communications with NRC, noting that\n   public access to information remains a strong concern.\n\n   Recommendations\n\n   OIG recommends that the Executive Director for Operations:\n\n   1.    Update MD 3.4 so it reflects the underlying principles of how to\n         determine whether an official agency record should be public\n         or non-public, and describes the relationship with other agency\n         reviews for information sensitivity (e.g., personally identifiable\n         information, SUNSI).\n\n   2.    Create a supplemental guidance document that is updated\n         routinely to include, to the extent practicable, categories of\n         information routinely not made public.\n\n   3.    After MD 3.4 and supporting guidance are updated and\n         consolidated, conduct a training needs analysis and develop\n         appropriate training for staff with responsibilities for\n         determining whether ADAMS records should be publicly or\n         non-publicly available.\n\n\n\n\n                                    9\n\x0c            Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n     B.    Improved Quality Control Approach Is Needed To Ensure Proper\n           Profiling of ADAMS Records\n\n               NRC needs to improve its quality control approach to ensure proper\n               profiling of ADAMS records as public or non-public. Specifically, (1)\n               the agency does not conduct regular reviews of all documents\n               placed in ADAMS to ensure proper placement in either the public or\n               non-public ADAMS libraries; (2) document originators do not\n               always complete NRC Form 665, an agency requirement; and (3)\n               some offices \xe2\x80\x93 which have instructed OIS to intercept their\n               incoming mail, determine availability, and add it to ADAMS \xe2\x80\x93 do not\n               routinely review whether OIS has made the appropriate availability\n               determination or follow up on items designated non-public pending\n               review.\n\n               These conditions exist because the agency does not require\n               documentation explaining why ADAMS documents were\n               designated as public versus non-public and has not clearly\n               communicated quality control expectations to staff. As a result,\n               NRC cannot assess if it is meeting its criteria for ADAMS document\n               profiling and risks both inappropriate release of information to the\n               public and unnecessary withholding of information that should be\n               publicly available.\n\n               Quality Control Expectations\n\n               Quality control strategies are essential to ensure that staff follow\n               agency guidance on when to profile ADAMS records as public or\n               non-public. Such strategies include (1) regular reviews of ADAMS\n               documents to determine how well staff are applying NRC\xe2\x80\x99s criteria\n               for public and non-public designations, (2) provision of clear\n               instructions to staff who have responsibilities associated with\n               completing the public versus non-public portion of the ADAMS\n               document profile, and (3) office verification and followup in cases\n               where OIS profiles incoming mail as public, non-public, or non-\n               public pending review and adds the document to ADAMS before\n               the office has a chance to see it.\n\n               Agency guidance is limited on what quality control measures are\n               needed to ensure that ADAMS documents are profiled correctly for\n               public or non-public availability, although the agency does\n               communicate some expectations in the ADAMS Desk Reference\n               Guide and in ADAMS training courses. This guidance states that\n               document originators8 must complete NRC Form 665 for every\n8\n  Document originator is the term used to indicate the person who wrote the document and is\ntherefore most familiar with the document content.\n\n                                                10\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n   record added to ADAMS. This form asks the originator to verify\n   that the SUNSI review occurred and to specify key profiling\n   elements including whether the record is to be publicly or non-\n   publicly available.\n\n   In addition, the guidance states that offices, regions, and OIS are\n   jointly responsible for adding documents to ADAMS and ensuring\n   that they are correctly profiled for public or non-public availability.\n   This cooperative approach is particularly important for offices that\n   instruct OIS to intercept their external mail and assign document\n   availability as public, non-public, or non-public pending review.\n   While OIS makes this initial designation based on instructions\n   provided by the addressee office, the addressee office is then\n   expected to review the profiles for appropriateness and make the\n   final determination concerning these items. Until an office makes\n   this final determination, the items will remain inaccessible to the\n   public, even if the ultimate decision is to release them publicly.\n\n   Improved Quality Control Measures Are Needed\n\n   NRC needs to improve its quality control measures to ensure\n   proper profiling of ADAMS records as public or non-public.\n   Specifically, (1) NRC does not conduct regular reviews of all\n   documents placed in ADAMS to ensure proper placement in either\n   the public or non-public ADAMS libraries; (2) document originators\n   do not always complete NRC Form 665 as required; and (3) some\n   offices do not routinely review their external mail, which OIS profiles\n   and adds to ADAMS, to verify and follow up on OIS\xe2\x80\x99s designation of\n   these records as public, non-public, or non-public pending review.\n\n   No Regular Review of ADAMS Records\n\n   NRC does not conduct regular reviews of ADAMS records to\n   assess whether their designation as public or non-public is\n   appropriate. OIS assigns one full-time employee to perform quality\n   control activities on ADAMS records. This employee reviews\n   ADAMS profiles to ensure they are filled out completely, conducts\n   searches to identify problem areas, and generates reports on the\n   timeliness with which NRC records are made public. However, the\n   employee does not attempt to assess whether agency staff are\n   applying criteria correctly in designating records as public or non-\n   public. According to agency comments provided subsequent to the\n   exit conference, there are also many OIS employees and\n   contractors who perform various ADAMS quality control activities\n   as part of their routine duties.\n\n\n\n                                    11\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n   OIG acknowledges that it would currently be difficult for NRC\n   routinely to review whether ADAMS documents are profiled\n   correctly as public or non-public due to a lack of information\n   available to support such reviews. Document originators are not\n   required to record their rationale for making a document public or\n   non-public; yet, their justification for making items public versus\n   non-public is not always readily apparent. Similar types of records\n   are found in both public and non-public ADAMS, and it is not\n   evident, based on the information in the ADAMS profile, why these\n   placements were made. Other items in the public library do not fit\n   any of the MD 3.4 categories and it is difficult to determine, in some\n   cases, why a document was made public. For example, as part of\n   its random sampling of ADAMS documents, OIG found four\n   instrument calibration records in public ADAMS, but could not\n   identify any MD 3.4 category that suggested this type of information\n   ought to be public. An agency manager noted that calibration\n   records are important in connection with planning for a high-level\n   waste repository, which is an MD 3.4 category. The manager\n   speculated that this could be the underlying rationale for placing the\n   reports in public ADAMS, but was not certain.\n\n   Form 665 Not Completed\n\n   Despite agency guidance stating that document originators\n   complete a Form 665 for every record added to ADAMS, this does\n   not always occur. OIG interviewed 25 NRC employees in 16\n   offices who had job responsibilities associated with ADAMS records\n   to assess their usage of Form 665. Staff from only seven offices\n   reported routinely using Form 665 according to agency guidance\n   (document originator completes form for each document submitted\n   to ADAMS), while staff from the other nine offices described less\n   frequent, inappropriate (e.g., Form 665 completed by administrative\n   staff instead of document originator), or no usage of the form at all\n   (see table 1 for a summary of office practices).\n\n\n\n\n                                    12\n\x0c            Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n\nTable 1. Office Use of Form 665\n\n\n    Office Routinely Uses According to Agency Guidance                                  7\n\n    Office Sometimes Uses                                                              4\n\n    Office Uses Alternative                                                            2\n\n    Office Secretary Completes With Verbal Instruction From\n                                                                                       1\n    Document Originator\n    Office Secretary Completes With No Instruction From\n                                                                                       1\n    Document Originator\n\n    Office Does Not Use Form 665 or Alternative                                         1\n\n    TOTAL OFFICES ASSESSED                                                             16\n\n               Profiles Not Reviewed\n\n               Although the process by which OIS profiles external mail depends\n               on offices to review the profiles to verify they are correct and\n               finalize items marked non-public pending review, a number of\n               offices do not perform this review. After OIS assigns availability to\n               intercepted mail based on office instructions, a notice is sent to the\n               addressee and/or a predefined distribution list of NRC employees\n               and organizations via the Electronic Regulatory Information\n               Distribution System (E-RIDS) that the record is in ADAMS.\n\n               NRC recently discovered a backlog of approximately 16,000\n               documents assigned non-public pending review status, indicating\n               that offices were not routinely reviewing their E-RIDS mailboxes to\n               make final determinations on items marked non-pending public\n               review.9 OIS subsequently sent an e-mail to all offices asking them\n               to take action concerning these documents. Offices were also\n               reminded that to avoid future backlogs, E-RIDS mailboxes should\n               be routinely checked so that items marked non-public pending\n               review can be assigned final availability status. OIS could not\n               provide a breakdown of how long the 16,000 documents had been\n               awaiting this type of review, but an OIS employee said that some of\n               the documents have been in that category since 2005.\n\n9\n  The OIS employee also explained that not all of the 16,000 documents represented incoming\nmail that OIS had screened and designated as non-public pending review. A portion of these are\nrecords created by staff and profiled as non-public pending review in order to flag these\ndocuments as still needing a final availability determination.\n\n                                                13\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n   OIG interviewed staff from three headquarters offices that have OIS\n   profile their external mail and found a lack of clarity concerning the\n   E-RIDS review process:\n\n   \xc2\x99 One individual reported regularly reviewing the E-RIDS mailbox\n     and forwarding any E-RIDS notifications to the subject matter\n     expert for review.\n\n   \xc2\x99 Another reported that while the E-RIDS mailbox is checked\n     several times daily, the notifications are not reviewed for non-\n     public pending review status. Instead, the subject line is\n     scanned and the item is forwarded to the office director who has\n     an interest in the subject matter.\n\n   \xc2\x99 Only one individual was aware of the E-RIDS review\n     requirement; this was because her office had recently received\n     the OIS e-mail reporting the backlog and she had been\n     assigned to clear it up.\n\n   Agency Needs To Document and Maintain Rationale for\n   Making Records Public and Non-Public and Better\n   Communicate Expectations\n\n   NRC does not routinely assess whether NRC staff are correctly\n   applying the agency\xe2\x80\x99s criteria for making records public or non-\n   public because document originators are not required to record\n   their rationale for designating a document as public or non-public.\n   In addition, there is no tool to facilitate such a review. While Form\n   665 could serve as a useful tool on which to record the basis for\n   why an item is designated as public or non-public, the form does\n   not request this type of information. Finally, there is no requirement\n   to retain the form.\n\n   In addition, NRC has not clearly communicated quality control\n   expectations to staff. Although the ADAMS Desk Reference Guide\n   and ADAMS training courses describe the importance of using\n   Form 665, these materials do not convey requirements and there is\n   no assurance that staff will be exposed to this information.\n\n   Also not clearly conveyed is the requirement for offices to review\n   their E-RIDS mail to verify that OIS availability profiling is correct or\n   make final determinations on incoming mail profiled as non-public,\n   pending review. While this expectation was recently conveyed in\n   the e-mail to staff describing the backlog of 16,000 documents in\n   non-public pending review status, the E-RIDS notices themselves\n   do not instruct the recipient that such a step is needed.\n\n\n                                    14\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n   Essentially, there is no red flag alerting staff that a document is in\n   need of further review prior to being assigned a permanent\n   availability.\n\n   Agency Cannot Assess Its Practice\n\n   Because NRC does not routinely review its records to ensure that\n   they are properly profiled as public or non-public, it cannot gauge\n   how successfully the criteria are applied or identify trends in\n   miscategorization. Furthermore, by not following up on documents\n   profiled in ADAMS as non-public pending review, NRC risks leaving\n   documents that should be made public in a non-public status for an\n   indefinite period of time.\n\n   Recommendations\n\n   OIG recommends that the Executive Director for Operations:\n\n   4.    Develop a mechanism to indicate the rationale for a public or\n         non-public designation. This rationale should be sufficiently\n         detailed to allow for an assessment of whether agency criteria\n         are being applied correctly.\n\n   5.    Require offices to use the mechanism developed in response\n         to recommendation 4 to provide the rationale for public or non-\n         public designation of official agency records.\n\n   6.    Conduct periodic assessments of the accuracy with which\n         NRC staff are applying the agency\xe2\x80\x99s criteria for designating\n         records as public or non-public by assessing a random sample\n         of records against the agency\xe2\x80\x99s criteria for making these\n         determinations.\n\n   7.    Inform NRC office directors of the number of non-public\n         pending review documents that have been awaiting review by\n         their office for at least 30 days.\n\n   8.    Add a non-public pending review category to E-RIDS\n         notifications and clarify the language in the notifications to\n         convey the need to finalize the document availability as either\n         public or non-public.\n\n\n\n\n                                    15\n\x0c        Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n\nIV.   AGENCY COMMENTS\n\n           At an exit conference held on June 1, 2007, agency managers\n           provided comments concerning the draft report. We modified the\n           report in response to the comments, as we deemed appropriate.\n           NRC reviewed these modifications and opted to submit formal\n           comments, which appear in Appendix C of this report.\n\n\n\n\n                                            16\n\x0c      Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\nV. CONSOLIDATED LIST OF RECOMMENDATIONS\n\n         OIG recommends that the Executive Director for Operations:\n\n         1.    Update MD 3.4 so it reflects the underlying principles of how to\n               determine whether an official agency record should be public\n               or non-public, and describes the relationship with other agency\n               reviews for information sensitivity (e.g., personally identifiable\n               information, SUNSI).\n\n         2.    Create a supplemental guidance document that is updated\n               routinely to include, to the extent practicable, categories of\n               information routinely not made public.\n\n         3.    After MD 3.4 and supporting guidance are updated and\n               consolidated, conduct a training needs analysis and develop\n               appropriate training for staff with responsibilities for\n               determining whether ADAMS records should be publicly or\n               non-publicly available.\n\n         4.    Develop a mechanism to indicate the rationale for a public or\n               non-public designation. This rationale should be sufficiently\n               detailed to allow for an assessment of whether agency criteria\n               are being applied correctly.\n\n         5.    Require offices to use the mechanism developed in response\n               to recommendation 4 to provide the rationale for public or non-\n               public designation of official agency records.\n\n         6.    Conduct periodic assessments of the accuracy with which\n               NRC staff are applying the agency\xe2\x80\x99s criteria for designating\n               records as public or non-public by assessing a random sample\n               of records against the agency\xe2\x80\x99s criteria for making these\n               determinations.\n\n         7.    Inform NRC office directors of the number of non-public\n               pending review documents that have been awaiting review by\n               their office for at least 30 days.\n\n         8.    Add a non-public pending review category to E-RIDS\n               notifications and clarify the language in the notifications to\n               convey the need to finalize the document availability as either\n               public or non-public.\n\n\n\n\n                                          17\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n\n                   [Page intentionally left blank.]\n\n\n\n\n                                    18\n\x0c      Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n                                                                                   Appendix A\nSCOPE AND METHODOLOGY\n\n         Auditors reviewed the ADAMS profiling process to determine the\n         effectiveness and consistency by which documents are profiled and\n         processed for entry into the public or non-public ADAMS libraries.\n         This audit was initiated in response to a letter sent to NRC\xe2\x80\x99s\n         Inspector General reporting two specific instances of NRC\n         miscoding documents as non-publicly available when the items\n         should have been publicly available.\n\n         The OIG audit team reviewed relevant criteria, including the\n         ADAMS Desk Reference Guide; Management Directive 3.4,\n         Release of Information to the Public; Yellow Announcement 2005-\n         077, Policy Revision: NRC Policy and Procedures for Handling,\n         Marking, and Protecting Sensitive Unclassified Non-Safeguards\n         Information (SUNSI); and Yellow Announcement 2006-069,\n         Protection of Personally Identifiable Information.\n\n         Auditors interviewed OIS staff and document originators and\n         administrative staff from 18 NRC offices, including the 4 NRC\n         regional offices. Auditors also interviewed a public interest group\n         representative and attended sessions addressing communications\n         issues at the agency\xe2\x80\x99s 2007 Regulatory Information Conference.\n\n         Auditors analyzed a 10-percent random sample of all agency\n         records added to ADAMS during December 2006 to determine the\n         consistency by which documents are designated public and non-\n         public according to current agency guidance. Auditors compared\n         MD 3.4, SUNSI, and personally identifiable information criteria to\n         each document to determine whether the agency\xe2\x80\x99s categorization\n         seemed appropriate.\n\n         This work was conducted from December 2006 through\n         March 2007, in accordance with generally accepted Government\n         auditing standards. Those standards require that we plan and\n         perform the audit to obtain sufficient, appropriate evidence to\n         provide a reasonable basis for our findings and conclusions based\n         on our audit objectives. We believe that the evidence obtained\n         provides a reasonable basis for our findings and conclusions based\n         on our audit objectives. The work was conducted by\n         Beth Serepca, Team Leader; Judy Gordon, Audit Manager; and\n         Jaclyn Storch, Management Analyst.\n\n\n\n\n                                          19\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n\n                   [Page intentionally left blank.]\n\n\n\n\n                                    20\n\x0c        Audit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n                                                                                    Appendix B.\nForms 665S and 665P\n\n\n\n\n                                            21\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n\n\n                                    22\n\x0cAudit of NRC\xe2\x80\x99s Process for Placing Documents in the ADAMS Public and Non-Public Libraries\n\n\n                                                                       Appendix C\n\n\n\n\n                                    23\n\x0c'